
DOCUMENT INFORMATION

Basic information

Title: Scene of the cybercrime: Computer forensics handbook
Author: Debra Littlejohn Shinder, Ed Tittel
School: Syngress Publishing, Inc.
Field: Computer Forensics
Type: handbook
Year of publication: 2002
City: Rockland
Format:
Pages: 754
Size: 5.81 MB


solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.

■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.

■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.

■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions


Debra Littlejohn Shinder

Ed Tittel, Technical Editor


Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing®,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER

Scene of the Cybercrime: Computer Forensics Handbook

Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-65-5

Technical Editor: Ed Tittel
Cover Designer: Michael Kavish
Acquisitions Editor: Andrew Williams
Page Layout and Art by: Personal Editions
Developmental Editor: Kate Glennon
Copy Editor: Darlene Bordwell
Indexer: Claire A. Splan

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.


Acknowledgments


We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains world-wide in scope.

Annabel Dent and Paul Barry of Elsevier Science/Harcourt Australia for all their help.

David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

A special welcome to the folks at Woodslane in Australia! Thank you to David Scott and everyone there as we start selling Syngress titles through Woodslane in Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.


This book is the culmination of three separate but intertwined vocations I’ve pursued during my life: law enforcement, computer networking (a.k.a. IT), and writing. They say that in the end, the last shall be first, and that was and is true for me. To be a professional writer was one of my first aspirations, way back in eighth grade when I scrawled my first (badly written but somewhat complete) 300-page novel on notebook paper and loaned it out to friends like a one-person library. I went on to write for and edit my high school and college newspapers, and the teachers and friends who encouraged my ambitions back then deserve the first debt of gratitude: Bobbie Ferguson, Michael Britton, and Barbara Gifford Brown—wherever you are now, thank you.

I never gave up that dream, but the kind of writing I was doing early on didn’t pay the bills, so I followed in my father’s footsteps into government work, and ended up falling in love with law enforcement and following that path for the third decade of my life. Without my experience as a police officer and police academy instructor, this would be just another tech book, so I want to thank some of those who made all that possible: Larry Beckett, Sarah Whitaker, Danny Price, Marty Imwalle, Mike Walker, Patt Scheckel-Hollingsworth, Lin Kirk Jones, and Neal Wilson.

I enjoyed being a cop, but as I got older, I found there was something else I enjoyed even more—and it was easier on the body and paid better, to boot. I’d been a computer hobbyist for a long time (my old VIC-20 and Commodore 64 are still here on a high shelf in the closet) and after meeting my husband online, together we set up our home network and studied together to become MCSEs. He was as tired of medicine as I was of police work, and when it came time for us to look for a new career we could share, the solution was obvious. The tech world beckoned. We did consulting for a while, and then started teaching. There were many who helped us along the way: Cash Traylor, Johnnie and Irene at Eastfield, Thomas Lee and everyone on the Saluki list, David (Darkcat) Smith and the gang at DigitalThink, Donna Gang at Technology Partners, and all our students in the MCSE programs.

Through it all, writing was still my secret passion. When the opportunity arose to author tech books, it seemed that my life had come full circle. For providing that opportunity, I have to thank the folks at Syngress and Dave Dusthimer at Cisco Press. Many people contributed to the success of my and Tom’s writing careers, especially Julie, Maribeth, Kitty, Carl, our tech editors, and most of all, the readers who bought the books.

Which brings us to this book. I had a huge amount of input and assistance from many corners, all of which added value and made writing it easier and more fun: Andrew Williams, who made it possible; James Michael Stewart, without whose contributions to Chapters 8 and 9 this book would not have been finished on time; “Tech Ed” Tittel and Developmental Editor Kate Glennon, whose comments and questions kept me on my toes. I also want to thank David Rhoades of Maven Security, for the information about “click kiddies,” and all the law enforcement officers who shared their experiences and cybercrime expertise, especially Wes Edens, Glen Klinkhart, Dave Pettinari, Troy Lawrence, Bryan Blake, Dean Scoville, Robert Bell, Bud Levin and Robert S. Baldygo, James Rogers, Bob Foy, Michael J. West, Tom Burns, and Ira Wilsker.

Finally (and the first shall be last), there were the friends and family members who provided encouragement all along the way. This book is dedicated to Tom (my husband, best friend, and business partner, who also wrote part of the section on name resolution in Chapter 5), Kris and Kniki (the two best kids in the world), Mom, Dad (whom I still miss every day), Jeff Tharp (one of the few friends who really did keep in touch after he moved away), all the Piglets (especially Bob, Lash, Dee, Robert, Shawn, bud, the Buerger King, Chief Al, MikeO and “Ms. V, Wherever You Are”), the MarketChat gang, the Storytalkers, the Writingchatters and all the rodents of unusual sizes on the CBP and related lists.

—Debra Littlejohn Shinder


Debra Littlejohn Shinder is a former Police Sergeant and Police Academy Instructor, turned IT professional. She and her husband, Dr. Thomas W. Shinder, have provided network consulting services to businesses and municipalities, conducted training at colleges and technical training centers, and spoken at seminars around the country. Deb specializes in networking and security, and she and Tom have written numerous books, including the best selling Configuring ISA Server 2000 (Syngress Publishing, ISBN: 1-928994-29-6), and Deb is the sole author of Computer Networking Essentials. Deb also is the author of over 100 articles for print publications and electronic magazines such as TechProGuild, CNET, 8Wire, and Cramsession. Deb is a member of the editorial board of the Journal of Police Crisis Negotiations and the advisory board of the Eastfield College Criminal Justice Training Center.


Technical Editor and Contributor

Ed Tittel is a 20-year veteran of the computing industry who has worked as a programmer, systems engineer, technical manager, writer, consultant, and trainer. A contributor to over 100 computer books, Ed created the Exam Cram series of certification guides. Ed also writes for numerous Web sites and magazines on certification topics including InformIT.com, Certification and IT Contractor magazines, and numerous TechTarget venues (www.searchsecurity.com, www.searchnetworking.com, www.searchWin2000.com, www.searchWebManagement.com). When he’s not busy writing, researching, or teaching, Ed likes to shoot pool, consume the occasional glass of red wine, and walk his Labrador retriever, Blackie.

Contributors

James Michael Stewart (MCSE, CCNA, CISSP, TICSA, CIW Security Analyst) is a writer, researcher, and trainer who specializes in IT security and networking related certification topics. A contributor to over 75 books, Michael has most recently contributed to titles on CISSP, TICSA, Windows 2000, and Windows XP topics. Michael also teaches for NetWorld + Interop twice yearly, where he offers courses on Windows security and on Windows performance optimization and tuning. In his spare time, Michael is an avid handyman, waterskier, world traveler, and a dancin’ fool (primarily the two-step).

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist and Programmer with the Niagara Regional Police Service and has also served as their Network Administrator. Michael performs computer forensic examinations of computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. He is responsible for designing and maintaining their Web site at www.nrps.com, and two versions of their Intranet (one used by workstations, and another accessed through patrol vehicles). He programs applications used by various units of the Police Service, has been responsible for network security and administration, and continues to assist in this regard. Michael is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Previous to working for the Niagara Regional Police Service, Michael worked as an instructor for private colleges and technical schools in London, Ontario, Canada. It was during this period that he was recruited as a writer for Syngress Publishing, and became a regular member of their writing team. Michael also owns KnightWare, a company that provides Web page design and other services. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer.


Contents

Collecting Statistical Data on Cybercrime 11
Understanding the Crime Reporting System 11
Categorizing Crimes for the National Reporting System 13
Toward a Working Definition of Cybercrime 15
International Law: The United Nations Definition of Cybercrime 17
Violent or Potentially Violent Cybercrime Categories 19
Determining Who Will Fight Cybercrime 35
Educating Legislators and Criminal Justice Professionals 38
Educating Information Technology Professionals 39
Educating and Engaging the Community 41
Getting Creative in the Fight Against Cybercrime 41
Using Peer Pressure to Fight Cybercrime 42
Using Technology to Fight Cybercrime 43
Finding New Ways to Protect Against Cybercrime 44
Summary 45
Resources 47

Chapter 2 Reviewing the History of Cybercrime 49
Introduction 50
Exploring Criminality in the Days of Standalone Computers 51
Understanding Early Phreakers, Hackers, and Crackers 53
Phreaking on the Other Side of the Atlantic 54
Living on the LAN: Early Computer Network Hackers 55
How BBSs Fostered Criminal Behavior 56
How Online Services Made Cybercrime Easy 57
Introducing the ARPANet: the Wild West of Networking 58
ARPA Turns Its Talents to Computer Technology 59
Network Applications Come into Their Own 60
The Internetwork Continues to Expand 60
The Worm Turns—and Security Becomes a Concern 61
Watching Crime Rise with the Commercialization of the Internet 61
Bringing the Cybercrime Story Up to Date 62
Understanding How New Technologies Create New Vulnerabilities 62
Why Cybercriminals Love Broadband 63
Why Cybercriminals Love Wireless 67
Why Cybercriminals Love Mobile Computing 72
Why Cybercriminals Love Sophisticated Web and
Why Cybercriminals Love E-Commerce and
Why Cybercriminals Love Instant Messaging 84
Why Cybercriminals Love New Operating Systems and Applications 87
Why Cybercriminals Love Standardization 87
Planning for the Future: How to Thwart Tomorrow’s Cybercriminal 88
Summary 89

Criminals Who Use the Net as a Tool of the Crime 120
Criminals Who Use the Net Incidentally to the Crime 127
Real-Life Noncriminals Who Commit Crimes Online 128
Resources 145

Chapter 4 Understanding Computer Basics 147
Introduction 148
Components of a Digital Computer 150
The Roles of the Processor and Memory 153
Why This Matters to the Investigator 163
Wandering Through a World of Numbers 165
Understanding the Binary Numbering System 166
Converting Between Binary and Decimal 167
Converting Between Binary and Hexadecimal 167
Why This Matters to the Investigator 169
Understanding Computer Operating Systems 171
Understanding the Role of the Operating System Software 172
Differentiating Between Multitasking and Multiprocessing
Multitasking 173
Multiprocessing 174
Differentiating Between Proprietary and Open Source
FAT12 193
FAT16 194
VFAT 194
FAT32 194
NTFS 195

Packets, Segments, Datagrams, and Frames 211
Network Types and Topologies 213
Why This Matters to the Investigator 215
Understanding Networking Models and Standards 215
The Physical/Data Link Layer Standards 220
Why This Matters to the Investigator 220
The Role of the Network Media 221
The Roles of Network Connectivity Devices 223
Why This Matters to the Investigator 231
Understanding Client/Server Computing 232
Network File Systems and File Sharing Protocols 237
A Matter of (Networking) Protocol 238
Understanding the TCP/IP Protocols Used on the Internet 240
The Need for Standardized Protocols 240
The Internet Protocol and IP Addressing 242
The Transport Layer Protocols 254
Why This Matters to the Investigator 272
Summary 273
Resources 277

Chapter 6 Understanding Network Intrusions and Attacks 279
Introduction 280
Understanding Network Intrusions and Attacks 282
Brute Force 306
Exploitation of Stored Passwords 309
General Password Protection Measures 314
Protecting the Network Against Social Engineers 315
Understanding Technical Exploits 315
DoS Attacks That Exploit TCP/IP 316
The WinNuke Out-of-Band Attack 329
Attacking with Trojans, Viruses, and Worms 334
Trojans 336
Viruses 337
Worms 338
Summary 343
Resources 346

Chapter 7 Understanding Cybercrime Prevention 349
Introduction 350
Understanding Network Security Concepts 351
Applying Security Planning Basics 352
The Importance of Multilayered Security 353
Removing Intrusion Opportunities 354
Talking the Talk: Security Terminology 355
Importance of Physical Security 357
Understanding Basic Cryptography Concepts 364
Understanding the Purposes of Cryptographic Security 364
Providing Confidentiality of Data 372
Scrambling Text with Codes and Ciphers 373
Securing Data with Cryptographic Algorithms 378
How Encryption Is Used in Information Security 380
Cybercriminals’ Use of Encryption and Steganography 386
Making the Most of Hardware and Software Security 387
Implementing Hardware-Based Security 387
Packet Filtering 395
Forming an Incident Response Team 398
Designing and Implementing Security Policies 401
Understanding Policy-Based Security 401
Why This Matters to the Investigator 403
Components of an Organizational Security Plan 404
Defining Areas of Responsibility 404
Assessing Threats and Threat Levels 407
Analyzing Organizational and Network Vulnerabilities 409
Analyzing Organizational Factors 412
Complying with Security Standards 415
Establishing Scope and Priorities 422
Policy Development Guidelines 422
Educating Network Users on Security Issues 425

Chapter 8 Implementing System Security 431
Introduction 432
Implementing Broadband Security Measures 436
Disabling File and Print Sharing 445
Implementing Browser and E-Mail Security 452
JavaScript 454
ActiveX 455
Java 455
Making Browsers and E-Mail Clients More Secure 456
Restricting Programming Languages 456
Keep Security Patches Current 457
Handling Directory and Data Structures 468
Backups 470
Maintaining Integrity 470
Understanding Security and Microsoft Operating Systems 471
General Microsoft Security Issues 472
NetBIOS 472
Widespread Automated Functionality 473
Securing Windows 9x Computers 475
Securing a Windows NT 4.0 Network 478
Securing a Windows 2000 Network 481
Windows .NET: The Future of Windows Security 483
Understanding Security and UNIX/Linux Operating Systems 483
Understanding Security and Macintosh Operating Systems 487

Auditing for UNIX and Linux Platforms 508
Firewall Logs, Reports, Alarms, and Alerts 510
Tracing a Domain Name or IP Address 522
Commercial Intrusion Detection Systems 524
Characterizing Intrusion Detection Systems 525
IP Spoofing and Other Antidetection Tactics 532
Honeypots, Honeynets, and Other “Cyberstings” 533
Summary 536
Resources 542

Chapter 10 Collecting and Preserving Digital Evidence 545
Introduction 546
Understanding the Role of Evidence in a Criminal Case 548
The Role of Crime Scene Technicians 555
Role of Imaging in Computer Forensics 563
“Snapshot” Tools and File Copying 563
Retaining Time and Datestamps 565
Preserving Data on PDAs and Handheld Computers 565
Recovering “Deleted” and “Erased” Data 567
Detecting Steganographic Data 569
Defeating Data Recovery Techniques 578
Documenting the Chain of Custody 583
Computer Forensics Training and Certification 584
Computer Forensics Equipment and Software 585
Computer Forensics Information 587
Searching and Seizing Digital Evidence 588

Basic Criminal Justice Theory 620
Overcoming Obstacles to Effective Prosecution 636
Defining Areas of Responsibility 650
Testifying as an Evidentiary Witness 652
Testifying as an Expert Witness 652


Foreword

This book, more than any other I’ve written up to this point in my life, was a labor of love. It allowed me to combine the knowledge and experience of two careers (over a decade in government and law enforcement, and close to another decade in the computer field, encompassing almost 20 years of working with computers as a hobbyist). When I was a working police officer, computer crime was an esoteric specialty area—investigators in small- and medium-sized agencies rarely encountered a case involving digital evidence, and the term cybercrime was unheard of in most police circles.

Today, all of that has changed. In fact, our whole way of life has changed over the past two decades, and many of those changes can be directly attributed to the Internet. I met my husband on the Net in 1994, when I was still a cop and he was practicing medicine. We’ve come a long way, baby, since then.

Today, the two of us make our livings online, as authors, consultants, and providers of online training. Ninety percent of our business is conducted via the Internet. Many of our friendships began in the virtual world, and we use e-mail to keep in touch with family members in remote locations, with whom we probably would rarely have contact otherwise. There are plenty of others out there like us, whose “real world” lives are inextricably intertwined with the time that we spend in the netherworld of cyberspace. It is inevitable, I suppose, that members of the same antisocial element of society I dealt with as a police officer would find their ways onto the Net, as well.

The more I delved into the intricacies of computers and networking in pursuit of my new profession, the more I was reminded of my old one as I realized that the commercialization and widespread use of the Internet provided opportunities for the scam artists, thieves, child pornographers, drug dealers and abusive personalities that make up every law enforcement officer’s cadre of “clientele.” Yet much of the law enforcement world seemed to lag behind when it came to technology. In the late 1990s, there were still many agencies across the country where cops did their reports by hand and police secretaries were the only ones in the office who had computers, which they used as nothing more than fancy word processors.

When it comes to computer crimes, the criminals got a big head start. But the law enforcement community in the twenty-first century seems to have finally awakened to the fact that resistance is futile and computers are here to stay. I’ve watched my former police colleagues struggle to understand this Brave New World where the once-tangible “tool of the crime” can be an ethereal series of bits and bytes, where offenses can be committed by “remote control” from hundreds or thousands of miles away, and where the rules of evidence have been turned upside down by the nature of digital communication. I also began to realize, as cybercrime became the hot topic of the day, that many of my fellow information technology professionals know a lot about programming and network administration but understand very little about the law. Hanging out in techie newsgroups and sorting through posts to police-only mailing lists, I saw a pattern emerging: the information and communication gap between law enforcement and IT was obvious from both sides of the fence. As I heard misperceptions repeated on both sides—misperceptions that made it impossible for the police and IT professionals to combine their talents and efforts against cybercriminals—I kept thinking, “Someone should write a book.” So I did.

My goal in writing this book is to reach a dual audience; I hope to give other technical experts a little peek into the law enforcement world, a highly structured environment where the “letter of the law” is paramount and procedures must be followed closely lest an investigation be contaminated and all the evidence collected rendered useless. I also hope to provide law enforcement officers with an idea of some of the technical aspects of how cybercrimes are committed—and how technology can be used to track down and build a case against the criminals who commit them. I want to provide a roadmap that those on both sides of the table can use to navigate the legal and technical landscape, so that together we can understand, prevent, detect, and successfully prosecute the criminal behavior that is as much a threat to the online community as “traditional” crime is to the neighborhoods in which we live.

The first chapter, “Facing the Cybercrime Problem Head On,” provides a broad overview of cybercrime: what it is (and isn’t), ways in which it’s different from other types of crime (and ways in which it isn’t), and how we can break the larger concept of “cybercrime” down into categories that make it more manageable to discuss, legislate, enforce, and ideally, prevent. This is where you’ll find statistics and formal definitions, as well as a brief introduction to some of the topics that will be covered in more detail in later chapters, such as jurisdictional issues and the nature of local, state, national, and international law regulating online behavior. The chapter ends with a proposal for educating cybercrime fighters at all levels (not only technical professionals and law enforcement officers, but also members of other parts of the criminal justice system, legislators, and the community at large) and explains how a united effort is the only way we’ll ever be able to take a significant “byte” out of cybercrime.

Chapter 2, “Reviewing the History of Cybercrime,” steps back to take a ical perspective Cybercrime didn’t just “appear” overnight, but there’s no doubt thatproportionately more criminal activity is occurring online today than in the earlyyears of the Internet.This chapter attempts to analyze the reasons for the rising crimerate in this “place” called cyberspace, by tracing the tremendous growth of the Netfrom its origins in the 1960s to its present incarnation as a major commercial andsociological force that reaches all over the world.We look at how both the tech-nology itself and the demographic makeup of the Internet have changed over theyears, and how that (along with the sheer numbers of people getting online eachyear) has contributed to the crime problem.This chapter also addresses the ways inwhich the advent of new technologies makes the lives of criminals—not just ourlives—easier

histor-Chapter 3, “Understanding the People on the Scene,” breaks momentarily fromthe concentration on technological and legal issues to explore the human element of

cybercrime Here we delve into the fascinating new realm of cyberpsychology, the study

of human behavior in cyberspace First we discuss the cybercriminals: common vations, personality types, and the differences between those who commit differenttypes of cybercrimes.We look at the art and science of criminal profiling and how itcan be applied to online lawbreakers But we don’t stop there.The criminals aren’tthe only ones on the scene of the cybercrime whom the investigator needs to under-stand.We also discuss how to apply the principles of victimology to those who fallprey to cybercriminals, and how an understanding of these principles can help topredict the criminals’ behavior and aid in apprehension, along with helping to pre-vent others from being victimized in the future Next, we focus on the cybercrimesinvestigator Here you’ll learn about the characteristics that contribute to being agood cyber-detective, and the skills that are required to do the job Finally, we brieflydiscuss the role played by company executives and managers in the cases of cyber-crimes that involve corporate networks, and how management personnel can provide

moti-an importmoti-ant service by acting as liaison between law enforcement officers moti-and ITpersonnel

Trang 29

Chapter 4, “Understanding Computer Basics,” plunges you head first into thetechnical details of how computers work.We provide a “fast track” course (or forsome readers, a review) of computer hardware basics, explaining the binary languageused by machines to process information and communicate with one another, and

we describe how software—especially the operating system—functions as the

“middle man” between user and machine Each section of this chapter includes asubsection titled “Why This Matters to the Investigator,” that explains the significance

of the information in terms of conducting a criminal investigation

Chapter 5 is titled “Understanding Networking Basics” and is a natural tion of the information in the preceding chapter Here we focus on network com-munications, describing how they work and introducing you to the hardware andsoftware components that make them possible.You learn about the function of net-working hardware (hubs, switches, routers, and more) and you find out about clientand server software, network file systems, and protocols Finally, we focus more tightly

continua-on the TCP/IP protocol suite that forms the basis of communicaticontinua-ons continua-on the

Internet and on most large networks today.You’ll learn about addressing, routing andname resolution, and how TCP/IP utilities can be used to gather information aboutthe network Once again, we provide “Why This Matters to the Investigator” sections

to tie the technical details back to the work of a cybercrime fighter

Chapter 6, “Understanding Network Intrusions and Attacks,” addresses a specific type of cybercrime—the type that is generally committed by more technically savvy criminals (although you’ll learn how “script kiddies” with limited knowledge and skills can also launch these attacks using tools provided by more sophisticated hackers). This chapter looks at the pre-intrusion activities that a hacker may engage in while he or she prepares to attack, and then it moves on to the methods hackers use for gaining entry to networks and/or bringing them down. We include a section on password cracking, and discuss the different types of technical exploits that use the characteristics of common applications, operating systems, and protocols to create Denial of Service and other network disruptions.

Chapter 7 is titled “Understanding Cybercrime Prevention” and it starts with an overview of computer and network security concepts. We discuss physical security and the differences between hardware-based and software-based security products, and you learn why a multi-layered security plan is essential in today’s threat-intensive world and how to develop one. We get specific in this chapter, explaining how authentication, confidentiality, and data integrity can be provided using cryptographic techniques; you’ll also learn about new methods of identifying network users such as smart cards and biometrics. Another important topic addressed here is firewall technology, as well as packet, circuit, and application filtering—you’ll learn how these technologies protect the network. We also discuss digital certificates and the Public Key Infrastructure, and wrap it up with an overview of incident response planning and a detailed discussion of security policies and how they are developed and implemented.

Chapter 8, “Implementing System Security,” gets down to the nitty-gritty about how to implement security measures in specific cases and with specific technologies and software. You learn about steps that can be taken to protect broadband connections, ways to make Web browsing safer, and how network administrators can protect Web servers from attack. Next we look at operating system security. You’ll find out some of the ways that the different Microsoft operating systems (Windows 9x, NT and 2000) are vulnerable to hack attacks and what can be done about it. We also talk about securing UNIX and Linux-based computers, and how security issues affect the Macintosh operating systems, especially Apple’s new UNIX-based OS X. Finally, we touch on mainframe security and how wireless networking can be made more secure.

Chapter 9 deals with “Implementing Cybercrime Detection Techniques.” This chapter focuses on the issue central to the criminal investigation: gathering information that may be relevant to identifying and apprehending the cybercriminal and that might also serve as evidence in the criminal case. You’ll learn here how to use security auditing and read log files, including firewall logs and reports. Then we discuss how to unravel the mystery of e-mail headers to develop clues that lead you back to the sender. You’ll find out how to trace domain names and IP addresses, and filter through the wealth of information that is available when you use a commercial Intrusion Detection System (IDS). You’ll also learn about the methods that criminals use to hide their identities and avoid detection, such as IP spoofing.

Chapter 10, “Collecting and Preserving Digital Evidence,” is the “meat and potatoes” that takes the investigator all the way into the world of computer forensics. Here you learn about how to recover files and bits of data that the suspect may have thought were deleted or erased. You’ll also learn about ways to access encrypted data and to find steganographic data that can be hidden, using special software, inside other files. You’ll learn about all the places that data can hide on a disk, including file slack, alternate data streams, and partition gaps. You’ll find out where to look for “forgotten” evidence that is often left behind in Web caches, history logs, swap files, and other locations. We’ll provide step-by-step guidelines for searching and seizing computers and digital evidence, including specific tasks performed by first responders, investigators, and crime scene technicians. We’ll tell you how to preserve volatile evidence (evidence that disappears when the computer is powered down) and how to use disk imaging techniques to create exact bitstream duplicates of suspect hard disks so the original can be preserved in its original state. We talk about environmental factors that can affect digital evidence, and how it should be packaged and documented. Next, we look at the legal issues surrounding search and seizure, including search warrant requirements, search without a warrant, and Fourth Amendment issues, and how the courts have applied them to computer-related cases. We also include a section on the ways in which the U.S. Patriot Act has changed the law in regard to electronic evidence.

Chapter 11, “Building the Cybercrime Case,” takes you beyond the apprehension of the cybercriminal and the collection of evidence, and shows you how to put together all the information you’ve gathered in the course of the investigation to prove the prosecution’s case. We talk first about some of the difficulties peculiar to cybercrimes, including the lack of concrete definitions and the jurisdictional dilemma. You’ll learn about basic criminal justice theory and the bodies and levels of law. You’ll also learn the differences between civil and criminal law and how they can sometimes overlap in computer-related cases. We discuss the “naturally adversarial” relationship that often arises between law enforcement officers and IT personnel, provide some explanations for why it occurs, and offer some suggestions to help create more cooperation between the two camps. Then we look at the investigative process, including how to evaluate evidence and how to use the standard investigative tools (information, interview/interrogation, and instrumentation) to facilitate the investigation. We outline the typical steps in an investigation, and how to define areas of responsibility so that the investigative team works most effectively. Finally, we talk about the last step in the process—testifying in a cybercrimes case. We approach this from the standpoints of both evidentiary and expert witnesses, and include some tips on understanding the trial process and dealing with the opposing attorneys’ tactics.

Throughout the book, we provide several types of sidebars to supplement the main text. In addition to explanatory Notes, we include the following:

■ CyberStats: These sidebars provide statistical information related to the topic at hand.
■ Crimestoppers: These sidebars provide information about tools and techniques that can be used to help prevent or detect cybercrimes.
■ CyberLaw Review: These sidebars discuss legal aspects of the topic being discussed in the text, including related statutes and case law citations.
■ On the Scene: These are real-life accounts of cybercrime investigators and advice based on experiences in the field.

You’ll find a lot of citations of other sources as you go through the text. This book was intended to serve as a handbook or reference, and I wanted to create something that could be used as a text for introductory cybercrimes courses (including those that I plan to teach), but I also wanted it to be readable and interesting, not a dry academic-styled textbook. I’ve tried to deal in concepts as well as specifics. I want readers to understand the “big picture,” not just how to implement various security solutions or how to use various forensics techniques. The laws and techniques will change over the years, but the concepts that form the foundation of cybercrime fighting will remain the same.

Due to the dynamic nature of the World Wide Web, some of the online resources we cite herein may be gone or relocated by the time you read this book. Please let us know about any dead links; we will attempt to track down new sources for the same or similar information and post them on my Web site at www.sceneofthecybercrime.com and/or the publisher’s Web site at www.syngress.com/solutions. You can e-mail me at debshinder@sceneofthecybercrime.com.

Finally, I wanted this to be a friendly book, one that could be enjoyed by “just plain folks” who are interested in computer forensics and cybercrime as well as by professionals in the law enforcement and technology fields. I hope I’ve accomplished that. My wish is that you will have as much fun reading it as I had writing it, and that it will make you think about the constantly evolving nature of both law and technology—just as it forced me to think (and rethink) many of my own ideas about “how things work” as I put them down in words.

Facing the Cybercrime Problem Head On

Topics we'll investigate in this chapter:

Today we live and work in a world of global connectivity. We can exchange casual conversation or conduct multimillion dollar monetary transactions with people on the other side of the planet quickly and inexpensively. The proliferation of personal computers, easy access to the Internet, and a booming market for related new communications devices have changed the way we spend our leisure time and the way we do business.

The ways in which criminals commit crimes are also changing. Universal digital accessibility opens up new opportunities for the unscrupulous. Millions of dollars are lost to computer-savvy criminals by both businesses and consumers. Worse, computers and networks can be used to harass victims or set them up for violent attacks—even to coordinate and carry out terrorist activities that threaten us all. Unfortunately, in many cases law enforcement agencies have lagged behind these criminals, lacking the technology and the trained personnel to address this new and growing threat, which has been aptly termed cybercrime.

Until recently, many information technology (IT) professionals lacked awareness of and interest in the cybercrime phenomenon. In many cases, law enforcement officers have lacked the tools needed to tackle the problem; old laws didn’t quite fit the crimes being committed, new laws hadn’t quite caught up to the reality of what was happening, and there were few court precedents to look to for guidance. Furthermore, debates over privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new cases. Finally, there was a certain amount of antipathy—or at the least, distrust—between the two most important players in any effective fight against cybercrime: law enforcement agents and computer professionals. Yet close cooperation between the two is crucial if we are to control the cybercrime problem and make the Internet a safe “place” for its users.

Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence and bringing offenders to justice. IT personnel understand computers and networks, how they work, and how to track down information on them. Each has half of the key to defeating the cybercriminal. This book’s goal is to bring the two elements together, to show how they both can and must work together in defending against, apprehending, and prosecuting people who use modern technology to harm individuals, organizations, businesses, and society.


Quantifying the Crisis

Cybercrime: It sounds exotic, the stuff of which futuristic science fiction novels are made. However, law enforcement officers, network administrators, and others who deal with crime and/or cyberspace are discovering that the future is now, and cybercrime is a big and growing problem. For example:

■ According to the Internet Fraud Complaint Center (IFCC), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center, between May 2000 and May 2001, its first year of operation, the IFCC Web site received 30,503 complaints of Internet fraud. (The full report can be downloaded in PDF format at www1.ifccfbi.gov/strategy/IFCC_Annual_Report.pdf.)
■ According to the Computer Security Institute’s Computer Crime and Security Survey for 2001, conducted in conjunction with the FBI’s Computer Intrusion Squad, 186 responding corporations and government agencies reported total financial losses of over US$3.5 million, due primarily to theft of proprietary information and financial fraud (see www.gocsi.com/press/20020407.html).
■ According to the Cybersnitch Voluntary Online Crime Reporting System, Internet-related crimes range from desktop forgery to child pornography and include such potentially violent crimes as electronic stalking and terrorist threats. (A full list of reported cybercrimes is available at www.cybersnitch.net/csinfo/csdatabase.asp.)
■ According to Meridien Research, as reported at epaynews.com (www.epaynews.com/statistics/fraud.html), the cost of Internet fraud is expected to reach between US$5 billion and US$15 billion by 2005.

Although almost anyone has the potential to be affected by cybercrime, two groups of people must deal with this phenomenon on an ongoing basis:
■ Information technology professionals, who are most often responsible for providing the first line of defense and for discovering cybercrime when it does occur.
■ Law enforcement professionals, who are responsible for sorting through a bewildering array of legal, jurisdictional, and practical issues in their attempts to bring cybercriminals to justice.


Although it is imperative to the success of any war against cybercrime that these two groups work together, often they are at odds because neither has a real understanding of what the other does or of the scope of their own roles in the cybercrime-fighting process.

Police departments in the United States and the rest of the world are establishing computer crimes units, and cybercrime makes up a large proportion of the offenses investigated by these units. The National Cybercrime Training Partnership (NCTP) encompasses local, state, and federal law enforcement agencies in the United States. The International Association of Chiefs of Police (IACP) hosts an annual Law Enforcement Information Management training conference that focuses on IT security and cybercrime. The European Union has created a body called the Forum on Cybercrime, and a number of European states have signed the Council of Europe’s Convention on Cybercrime treaty, which attempts to standardize European laws concerning crime on the Internet.

CyberStats…

Charting the Online Population Explosion

Nua Internet Surveys showed that as of February 2002, approximately 544 million people were online worldwide. As the global population becomes more and more “connected,” the opportunities for criminals to use the Net to violate the law will expand, and cybercrime will touch more and more lives.

Each organization and the authors of each piece of legislation have their own ideas of what cybercrime is—and isn’t. These definitions may vary a little or a lot. To effectively discuss cybercrime in this book, however, we need a working definition. Toward that end, we start with a broad, general definition and then define specific cybercriminal offenses.

Moving from the General to the Specific

Cybercrime can be generally defined as a subcategory of computer crime. The term refers to criminal offenses committed using the Internet or another computer network as a component of the crime. Computers and networks can be involved in crimes in several different ways:
■ The computer or network can be the tool of the crime (used to commit the crime).
■ The computer or network can be the target of the crime (the “victim”).
■ The computer or network can be used for incidental purposes related to the crime (for example, to keep records of illegal drug sales).

Figure 1.1 The word cybercrime doesn’t appear in most dictionaries, including Microsoft’s online Encarta.


To be enforceable, laws must be specific. It is useful to provide a general definition to be used in discussion, but criminal offenses consist of specific acts or omissions, together with a specified culpable mental state.

In many instances, specific pieces of legislation contain definitions of terms. This is necessary to avoid confusion, argument, and litigation over the applicability of a law or regulation. These definitions should be as narrow as possible, but legislators don’t always do a good job of defining terms (and sometimes don’t define them at all, leaving it up to law enforcement agencies to guess, until the courts ultimately make a decision).

One of the biggest criticisms of the European treaty is its overly broad definitions. For example, the definition of the term service provider is so vague that it could be applied to someone who sets up a two-computer home network, and the definition of computer data, because it refers to any representation of facts, information, or concepts in any form suitable for processing in a computer system, would include almost every possible form of communication, including handwritten documents and the spoken word (which can be processed by handwriting and speech recognition software). Likewise, the U.S. Department of Justice (DoJ) has been criticized for a definition of computer crime that specifies “any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution” (reported in the August 2002 FBI Law Enforcement Bulletin). Under such a definition, virtually any crime could be classified as a computer crime, simply because a detective searched a computer database as part of conducting an investigation.

These examples illustrate the difficulty of creating usable definitions of cybercrime and related terms. Later in this chapter, we will develop our own working definition of cybercrime for the purposes of this book.

Understanding the Importance

occurs. For example, if someone assaults you, you would file charges with the local police in the city or town where the assault actually took place.

Because cybercrimes often occur in the virtual “place” we call cyberspace, it becomes more difficult to know what laws apply. In many cases, offender and victim are hundreds or thousands of miles apart and might never set foot in the same state or even the same country. Because laws can differ drastically in different geographic jurisdictions, an act that is outlawed in one location could be legal in another.

What can you do if someone in California, which has liberal obscenity laws, makes pornographic pictures available over the Internet to someone in Tennessee, where prevailing community standards—on which the state’s laws are based—are much more conservative? Which state has jurisdiction? Can you successfully prosecute someone under state law for commission of a crime in a state where that person has never been? As a matter of fact, that was the subject of a landmark case, U.S. v. Thomas and Thomas (see the “CyberLaw Review” sidebar in this section).

Even if the act that was committed is illegal across jurisdictions, however, you might find that no one wants to prosecute because of the geographic nightmare involved in doing so (see the “On the Scene” sidebar in this section for an example of one officer’s experience).

We discuss jurisdictional issues in much more depth and detail in Chapter 11, “Building the Cybercrime Case.”

CyberLaw Review…

U.S. v. Thomas and Thomas

Robert and Carleen Thomas, residents of California, were charged with violation of the obscenity laws in Tennessee when a Memphis law enforcement officer downloaded sexually explicit materials from their California bulletin board service (BBS) to a computer in Tennessee. This was the first time prosecutors had brought charges in an obscenity case in the location where the material was downloaded rather than where it originated. The accused were convicted, and they appealed; the appeals court upheld the conviction and sentences; the U.S. Supreme Court rejected their appeal.

Posted: 24/01/2014, 15:20
